Thought Leadership

GDPR: Q&A with our Data Protection Officer

February 27, 2018

By Silvia Gorra

GDPR, the EU General Data Protection Regulation, is making news headlines every day, and for the right reasons. There are a lot of opinions shared via trade press, social media or at events where our favourite 4 letter acronym is omnipresent. With the regulation almost upon us (it goes into effect on 25 May), now is the perfect time to catch up with our Data Protection Officer, Eve Filip, to understand what it entails for the ad tech space and how Rubicon Project has been working with vendors, sellers and buyers.

Does GDPR affect ad tech companies, like Rubicon Project, even though they don’t process data points like names, phone numbers, and email addresses?

Eve: Yes. Generally speaking, the GDPR applies to the collection, use, and disclosure of data relating to an identified or identifiable end user in the European Union. This includes device-related identifiers like IP addresses, unique device IDs, and cookie IDs, which the GDPR describes as “pseudonymous” forms of personal data. This type of information is commonly collected and processed as part of the way digital advertising is delivered. The law still applies to our business even though we do not process names, phone numbers, etc.

So does GDPR require consent for online advertising?

Eve: The GDPR requires a legal basis for processing a data subject’s personal data. Under the GDPR, “processing” is defined broadly to include virtually any automated process that touches data. In ad tech, for example, this includes delivery and receipt of data in publishers’ ad requests and buyers’ bids. Consent from the data subject is one way to satisfy the requirement for a legal basis to process personal data, but the law provides other bases as well. One such alternative legal basis for processing, which many ad tech companies have said they will rely upon, is the right to process personal data to further the companies’ own “legitimate interests” or those of a third party, as long as doing so won’t adversely infringe on the fundamental rights and freedoms of the data subject. It’s important to note, however, that separate and apart from GDPR, the EU ePrivacy Directive independently requires consent for companies to place cookies or otherwise access a user’s device. This type of consent, which is currently generally obtained through “cookie banners”, is still required.

It seems all focused on the European Economic Area. Can then companies based outside the EMEA ignore GDPR?

Eve: That is not advisable. GDPR actually applies to any personal data about a data subject in the EEA, even if the publisher is a US company. It is difficult for companies involved in digital advertising to segregate all traffic involving users in the EU, so most larger ad tech companies will probably take an integrated, uniform compliance approach.

How have you been working with our customers in the past months to address GDPR?

Eve: We have been working with customers in various capacities. We have been answering questions about our GDPR compliance plan and helping to support their efforts at compliance. We have also prepared various materials to help our customers understand the impact of the regulation. We have also been separately vetting all of our buyers and vendors on the platform to ensure that they can adequately protect European personal data.

And finally, being an expert on this topic, what are the best sources of information you would point people to?

Eve: The Article 29 Working Party is a European advisory board that issues guidance regarding regulatory interpretation. The IAB EU is also a great resource. They are developing a transparency and consent framework and have issued supporting documentation around this new tool.